Hotel chain Marriott International has been fined £18.4 million over a data breach which is estimated to have affected around 339 million customers.
The sum demanded by the Information Commissioner's Office (ICO) is reduced from the £99 million initially announced in July last year, owing to the economic impact of Covid-19 and steps taken by the firm to mitigate the effects of the incident.
Marriott said it does not intend to appeal over the decision, but makes "no admission of liability in relation to the decision or the underlying allegations".
A cyber attack, from an unknown source, affected the systems of the Starwood hotels group in 2014 but was not detected until 2018, two years after Starwood was acquired by Marriott.
Starwood hotels include Trump Turnberry in Ayrshire, London's Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly.
It is believed the personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status and loyalty programme membership number.
The exact number of people affected is unclear as there may have been multiple records for an individual guest, but around seven million records relate to people in the UK.
The ICO said its investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems.
"Personal data is precious and businesses have to look after it," said Information Commissioner Elizabeth Denham.
"Millions of people's data was affected by Marriott's failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.
"When a business fails to look after customers' data, the impact is not just a possible fine - what matters most is the public whose data they had a duty to protect."
Because the incident happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR (General Data Protection Regulation).
The data regulator said it acknowledges that Marriott acted promptly to contact customers and has since instigated a number of measures to improve the security of its systems.
"Marriott deeply regrets the incident," the firm said in a statement.
"Marriott remains committed to the privacy and security of its guests' information and continues to make significant investments in security measures for its systems, as the ICO recognises.
"The ICO also recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.
"Marriott wants to reassure guests that the incident and the ICO's decision involved only Starwood's separate network, which is no longer in use."